RFC: non-root ssh tun access
Chris Rapier
rapier at psc.edu
Tue Aug 29 07:13:51 EST 2006
Damien Miller wrote:
> On Fri, 25 Aug 2006, Chris Rapier wrote:
>
>> A while ago we developed a series of patches we call PMVPN for Poor
>> Man's VPN. Basically what we did was intercept open() calls and compare
>> the tuple to a set of rules we had (using LD_PRELOAD (windows and OS X
>> required more annoying procedures that we didn't explore in any
>> depth)). If the rule matched then we'd automatically open an SSH tunnel
>> to the target and forward the appropriate port over it.
>
> You can do something similar with an unmodified ssh, "socksify" and
> DynamicForward
Well, the idea was to integrate things in order to bring greater
security to a larger number of people. The majority of people won't go
to the hassle of paying for and installing socksify and then do all of
the DynamicForward routines from the command line. It's not that
difficult of course, but people generally just won't do it. Our feeling
was that the easier we made it the more people would use it. The more
people that used it the safer we'd all be (the idea of herd immunity).
The end result was going to be a nice GUI so that users wouldn't have to
drop down to the CLI - which turns a lot of people off. I spend a lot of
time supporting users so the easier I make it for them the easier my job
ends up being :)
We might be re-exploring this question in the upcoming year but it
depends on what the grant situation looks like.
Chris